AWS Certificate Manager

Integration with API Gateway
- Create a custom domain name in API Gateway
- For edge optimized API Gateways, The TLS certificate must be in the same region as CloudFront
- For regional API Gateways, The TLS certificate must be imported on API gateway, in the same region as the API Gateway

AWS WAF (Web Application Firewall)

Protection at Layer 7 of the OSI Model
Can be deployed on ALB, CloudFront, API Gateway, AppSync GraphQL API, Cognito User Pool
After deploying the firewall, you create a Web ACL rule:
- Filter based on IP address, HTTP Headers, HTTP body, URI strings, Message Size, geo-match, and rate-based rules
- Web ACL’s are regional. Except for in CloudFront where they are global
How can we get a fixed IP while using WAF with ALB? Use a Global Accelerator in front of the ALB. The Global Accelerator will provide the static IP address, since an ALB cannot have a static IP.

Protect from DDoS attacks
Standard and Advanced SKUs
- Standard is free and included/enabled on all VPCs
- Advanced is $3000/month per organization. Protection from more sophisticated DDoS attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53. Advanced also included 24/7 access to the DDoS Response Team. Shield Advanced will automatically create WAF rules for you.

Use ML to protect your AWS account
Uses CloudTrail Event Logs, VPC Flow logs, and DNS Logs. Optional EKS audit logs, RDS and Aurora logs, EBS, Lambda, and S3 data events
Can setup EventBridge rules to be notified in case of findings.
Can protect against Crypto Currency attacks

Automated security assessments on EC2 instances. Use AWS SSM Agent to scan the instance
Automated scans of container images pushed to ACR for CVEs
Lambda Functions can be scanned for vulnerabilities in code and package dependencies
Report findings in Security Hub or send findings via EventBridge